From dccf57a095c78cf27c64618cb2b58aac5fa54127 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Fri, 11 Aug 2000 17:07:41 +0000 Subject: [PATCH] Add global access control. --- doc/guide/admin/slapdconfig.sdf | 94 ++++++++++++++++++--------------- 1 file changed, 50 insertions(+), 44 deletions(-) diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf index 7fd3b82ec6..79f9054a3d 100644 --- a/doc/guide/admin/slapdconfig.sdf +++ b/doc/guide/admin/slapdconfig.sdf @@ -810,10 +810,11 @@ database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section: -E: 1. # example config file - global configuration section -E: 2. include /usr/local/etc/schema/core.schema -E: 3. referral ldap://root.openldap.org - +E: 1. # example config file - global configuration section +E: 2. include /usr/local/etc/schema/core.schema +E: 3. referral ldap://root.openldap.org +E: 4. access to * by * read + Line 1 is a comment. Lines 2 include another config file which containing {{core}} schema definitions. The {{EX:referral}} directive on line 3 @@ -821,6 +822,11 @@ means that queries not local to one of the databases defined below will be referred to the LDAP server running on the standard port (389) at the host {{EX:root.openldap.org}}. +Line 4 is a global access control. It is applied after any +applicable database access control. Note that requests to +read objects which are not held by any backend (such as +the Root DSE) are only controlled by global directives. + The next section of the configuration file defines an LDBM backend that will handle queries for things in the "dc=example,dc=com" portion of the tree. The @@ -829,59 +835,59 @@ truelies, the other on judgmentday. Indexes are to be maintained for several attributes, and the {{EX:userPassword}} attribute is to be protected from unauthorized access. -E: 4. # ldbm definition for the example.com -E: 5. database ldbm -E: 6. suffix "dc=example, dc=com" -E: 7. directory /usr/local/var/openldap -E: 8. rootdn "cn=Manager, dc=example, dc=com" -E: 9. rootpw secret -E: 10. # replication directives -E: 11. replogfile /usr/local/var/openldap/slapd.replog -E: 12. replica host=slave1.example.com:389 -E: 13. binddn="cn=Replicator, dc=example, dc=com" -E: 14. bindmethod=simple credentials=secret -E: 15. replica host=slave2.example.com -E: 16. binddn="cn=Replicator, dc=example, dc=com" -E: 17. bindmethod=simple credentials=secret -E: 18. # indexed attribute definitions -E: 19. index uid pres,eq -E: 20. index cn,sn,uid pres,eq,approx,sub -E: 21. index objectClass eq -E: 22. # ldbm access control definitions -E: 23. access to attr=userPassword -E: 24. by self write -E: 25. by anonymous auth -E: 26. by dn="cn=Admin,dc=example,dc=com" write -E: 27. by * none -E: 28. access to * -E: 29. by self write -E: 30. by anonymous auth -E: 31. by dn="cn=Admin,dc=example,dc=com" write -E: 32. by * read - -Line 4 is a comment. The start of the database definition is -marked by the database keyword on line 5. Line 6 specifies -the DN suffix for queries to pass to this database. Line 7 +E: 5. # ldbm definition for the example.com +E: 6. database ldbm +E: 7. suffix "dc=example, dc=com" +E: 8. directory /usr/local/var/openldap +E: 9. rootdn "cn=Manager, dc=example, dc=com" +E: 10. rootpw secret +E: 11. # replication directives +E: 12. replogfile /usr/local/var/openldap/slapd.replog +E: 13. replica host=slave1.example.com:389 +E: 14. binddn="cn=Replicator, dc=example, dc=com" +E: 15. bindmethod=simple credentials=secret +E: 16. replica host=slave2.example.com +E: 17. binddn="cn=Replicator, dc=example, dc=com" +E: 18. bindmethod=simple credentials=secret +E: 19. # indexed attribute definitions +E: 20. index uid pres,eq +E: 21. index cn,sn,uid pres,eq,approx,sub +E: 22. index objectClass eq +E: 23. # ldbm access control definitions +E: 24. access to attr=userPassword +E: 25. by self write +E: 26. by anonymous auth +E: 27. by dn="cn=Admin,dc=example,dc=com" write +E: 28. by * none +E: 29. access to * +E: 30. by self write +E: 31. by anonymous auth +E: 32. by dn="cn=Admin,dc=example,dc=com" write +E: 33. by * read + +Line 5 is a comment. The start of the database definition is +marked by the database keyword on line 6. Line 7 specifies +the DN suffix for queries to pass to this database. Line 8 specifies the directory in which the database files will live -Lines 8 and 9 identify the database "super user" entry and +Lines 9 and 10 identify the database "super user" entry and associated password. This entry is not subject to access control or size or time limit restrictions. -Lines 10 through 17 are for replication. Line 10 specifies the +Lines 11 through 18 are for replication. Line 11 specifies the replication log file (where changes to the database are logged -\- this file is written by slapd and read by slurpd). Lines 11 -through 13 specify the hostname and port for a replicated +\- this file is written by slapd and read by slurpd). Lines 12 +through 14 specify the hostname and port for a replicated host, the DN to bind as when performing updates, the bind method (simple) and the credentials (password) for the -binddn. Lines 14 through 17 specify a second replication site. +binddn. Lines 15 through 18 specify a second replication site. See the {{SECT:Replication with slurpd}} chapter for more information on these directives. -Lines 19 through 21 indicate the indexes to maintain for +Lines 20 through 22 indicate the indexes to maintain for various attributes. -Lines 23 through 32 specify access control for entries in the +Lines 24 through 33 specify access control for entries in the database. For all entries, the {{EX:userPassword}} attribute is writable by the entry and the "admin" entry, may be used for authentication/authorization purposes, but is otherwise not -- 2.39.5